Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect (repeated) radio range to execute arbitrary javascript in the Home Assistant frontend of anyone viewing the card. This vulnerability is fixed in 0.3.3.
AnalysisAI
Stored cross-site scripting in MeshCore Card (Lovelace card for Home Assistant) prior to 0.3.3 allows any MeshCore radio node within direct or repeated mesh range to inject JavaScript into the Home Assistant frontend by setting a malicious node name. Exploitation requires a victim to view the card, and no public exploit has been identified at time of analysis, though the GHSA-5vrg-xpcj-xppc advisory confirms the issue and the 0.3.3 fix.
Technical ContextAI
MeshCore Card (cpe:2.3:a:jpettitt:meshcore-card) is a third-party Lovelace custom card that surfaces telemetry from MeshCore - a LoRa-based mesh radio protocol - inside the Home Assistant web UI. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): node names received over the radio mesh are interpolated into the card's DOM without HTML escaping, so any attacker-controlled string in a node-name field becomes live HTML/JavaScript in the browser. Because MeshCore relays messages between nodes, a hostile node does not need direct RF line-of-sight to the victim's gateway - it only needs to be reachable via any chain of intermediate relays, which materially expands the attack surface beyond a single radio hop.
RemediationAI
Upgrade meshcore-card to 0.3.3 or later, which is the vendor-released patch per advisory GHSA-5vrg-xpcj-xppc (https://github.com/jpettitt/meshcore-card/security/advisories/GHSA-5vrg-xpcj-xppc); in HACS, update the card and force a browser hard-refresh so the cached resource is replaced. Until the upgrade is applied, compensating controls include removing the MeshCore card from any Lovelace dashboards (the underlying MeshCore integration data can still be used in templates without rendering node names through the vulnerable card), restricting which MeshCore nodes are accepted/displayed by allowlisting trusted node IDs at the integration layer, and segmenting the Home Assistant frontend behind a separate browser profile so a successful XSS cannot piggyback on other authenticated sessions - the trade-off being reduced dashboard convenience and the manual overhead of curating a node allowlist.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32972